Specification Amendment

Paragraph 0027 has been amended to refer to a "key handling unit." The
association between the key handling unit and the TPM is set forth in original
claim 32, for example, and would be understood by those familiar with the
TCPA specification.

Withdrawal of the rejections and allowance of the claims are respectfully 
requested. 

The Commissioner is authorized to charge any additional fees which 
may be required or credit overpayment to deposit account no. 08-2125. In 
particular, if this response is not timely filed, then the Commissioner is 
authorized to treat this response as including a petition to extend the time 
period pursuant to 37 CFR 1.136(a) requesting an extension of time of the
number of months necessary to make this response timely filed and the petition 
fee due in connection therewith may be charged to deposit account no. 08-2125. 
Please amend the following paragraphs of the specification in the
manner indicated: 

[0011] The present invention relates to a computing
platform which has a secure key-handling unit arranged to
store a storage root key that forms the root node of a
tree-structured node hierarchy the non-leaf nodes of which,
other than the root node, each comprise, in encrypted form,
a key used to encrypt the or each of its child nodes, and
insecure storage for storing the hierarchy nodes other
than the root node. The key-handling unit has (i) a memory
for storing a current decryption-root key; (ii) a
decrypted-access arrangement arranged to restrict decrypted
access to the hierarchy nodes to those nodes decryptable by
a chain of decryption rooted in said current decryption-
root key; and (iii) a current-decryption-root setting
arrangement for storing in said memory, in decrypted form,
the key of a selected non-leaf node of said hierarchy to
serve as said current decryption-root key, the current-
decryption-root setting arrangement enabling the selected
non-leaf node to be changed. [[is based in part on the
observation that previous platform history is irrelevant
to software provided that all traces of previous software
have been unloaded or existing software is benign (such as
a protected compartment OS). In these cases, the operation
of software is unaffected by software that previously
executed on the platform. Software implementing a process
may be considered to be "protected software", and the
process a "protected process", when a mechanism expected to
resist subversion provides a benign environment for that
software/process to execute. That mechanism may, of course,
itself be a protected process. The decision to release
secrets for use by software can therefore be made purely on
the basis of knowing that the particular software about to
be executed will be protected software. So, if a TPM
"knows" that protected software is about to be started, the
TPM can safely release the secrets for that protected
software without knowing the history of previously-executed
software as represented, for example, by PCR values.]]

[0012] In one embodiment, the setting arrangement is
arranged to permit the selected non-leaf node, and thereby
the decryption-root key, to be changed only upon a
predetermined set of at least one condition being met. The
at least one predetermined condition may comprise the
receipt by the key handling unit of an authorization value
indicative of particular digital data. In that case the
authorization value is preferably a digest of a protected
process associated with the node that is intended to be the
new selected non-leaf node. In one embodiment, the at least
one predetermined condition may comprise that a protected
process, associated with the node that is intended to be
the new selected non-leaf node, is about to be run by the
computing platform. In another embodiment, the at least one
predetermined condition may comprise that the key-handling
apparatus is requested to change the selected non-leaf node
by a root of trust of the computing platform. [[In the context
of the TCPA architecture, a primary aspect of the present
invention is concerned with arranging for secrets
associated with a protected process to be released to the
process by the TPM when the latter has received assurance
that it is safe to do so. In a preferred embodiment, this
involves the use of a "dynamic root key" that is associated
with the protected process to be run, the key itself
forming part of the key hierarchy stored in Protected
Storage. The dynamic root key will generally form the root
of a hierarchy of objects associated with the protected
process, with the cryptographic use of the key and the
cryptographic protection processes of this hierarchy being
carried out either by the TPM or by the protected process.
The TPM makes the dynamic root key available for use only
upon authorization by a trustable source (for example, a
hardware root-of-trust or another protected process such as
a protected compartment OS) that is responsible for
ensuring that the process associated with the dynamic root
key is protected (which may simply be because the protected
process is the only process executing). The TPM uses any
appropriate means, physical or virtual, to verify that the
authorization came from such a trustable source.
Preferably, the authorisation required by the TPM before
making the dynamic root key available, is a digest of the
protected process.]]

[0013] Preferably, upon start up of the computing
platform, the node at the head of the hierarchy forms the
selected non-leaf node. [[Where the protected-process
hierarchy based on the dynamic root key is to be processed
by the TPM, when the protected process is run (or about to
be run), the associated dynamic root key is installed in
the TPM to act as the root of a hierarchy of (external)
data objects instead of the SRK. Access to parts of the key
hierarchy that require ascent from the dynamic root key is
prohibited.]]
[0014] Preferably the key-handling unit is arranged always
to hold securely the node at the head of the hierarchy, in
unencrypted form. [[Where the protected-process hierarchy
based on the dynamic root key is to be processed by the
protected process itself, when the protected process is run
(or about to be run) the dynamic root key is released to
the protected process.]]

[0015] Although an embodiment of the present invention is
described herein [[has been outlined above]] in the context of
the TCPA architecture, it is of broader application.

[0016] [[More particularly, according to one aspect of the
present invention, there is provided a method of managing
an hierarchy of nodes manipulated by processing apparatus,
the method comprising a step of permitting access to a
particular node of the hierarchy only after receiving a
reliable indication that a mechanism expected to resist
subversion will attempt to enforce appropriate access
restrictions on that node and any descendent nodes.]]

[0017] [[In a preferred embodiment of this method, the
aforesaid mechanism is a protected process executing in a
benign operating environment within the apparatus, the
method further comprising using a trusted source to
establish or initiate establishment of the mechanism and to
generate said reliable indication accordingly.]]

[0018] [[According to another aspect of the present
invention, there is provided processing apparatus for
managing an hierarchy of nodes, the apparatus comprising an
access-control arrangement for permitting access to a
particular node of the hierarchy only upon receiving a
reliable indication that a mechanism expected to resist
subversion will attempt to enforce appropriate access
restrictions on that node and any descendent nodes.]]

[0019] [[According to yet another aspect of the present
invention, there is provided processing apparatus
comprising a key-handling unit for handling a tree-
structured hierarchy in which each non-leaf node comprises
a key used to encrypt the or each of its child nodes, the
hierarchy including, below its top level, a node comprising
a particular key associated with a protected process
executable by the processing apparatus; the key-handling
unit being arranged to make said particular key available
for use in relation to the protected process upon receipt
both of authorisation to do so and an indication that the
authorisation is provided by a trusted source that is
arranged to provide this authorisation, and to initiate or
permit execution of said protected process, only after
verifying the presence of a benign operating environment
within the apparatus for said protected process.]]

[0020] [[According to a further aspect of the present
invention, there is provided processing apparatus
comprising a key-handling unit for handling a tree-
structured key hierarchy; the key-handling unit being
arranged to treat a selected node of the hierarchy as the
current root node such that those parts of the hierarchy
that can only be reached by ascent from the current root
node are inaccessible, the key-handling unit including an
arrangement for changing the node of the hierarchy serving
as said current root node.]]

[0021] [[According to a still further aspect of the present
invention, there is provided a tree-structured key
hierarchy with multiple nodes serving as root nodes
dividing the hierarchy into different parts only accessible
from corresponding root nodes.]]

[0027] FIG. 1 illustrates a [[trusted]] Trusted Platform Module
(TPM) 10 with its normal Protected Storage data-object
hierarchy 12 (also referred to below as a key hierarchy).
The TPM's Storage Root Key (SRK) 11 resides permanently
inside the TPM 10. The SRK 11 is used to encrypt ("wrap")
keys K1-1, K1-2, K1-3 etc. that form the next level of the
hierarchy. Key K1-1, which in this case is preferably a
non-migratable key, itself wraps further keys K2-1, K2-2,
etc. The hatched outer annulus around each key in the FIG.
1 key hierarchy 12 is a graphical indication that each key
is wrapped (encrypted). A key in the hierarchy 12 can only
be decrypted by the TPM 10 upon presentation to the latter
of authorizations in respect of the ancestor keys in the
hierarchy. A key-handling unit is part of the TPM 10.
According to the TCPA specification, the TPM 10 has
functionality for managing the Protected Storage hierarchy
12; this functionality is called a "key-handling unit"
herein.
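The following is an added illustration, written for this page and not code from the patent application or from any TPM implementation, of the mechanism in paragraphs [0011] to [0013] applied to the FIG. 1 hierarchy of paragraph [0027]: a key-handling unit keeps the SRK and a current decryption-root key inside itself, every other node sits in insecure storage wrapped under its parent, decrypted access is limited to nodes reachable by a chain of decryption from the current root, and the root can be moved to a selected non-leaf node only when the presented authorization value matches the digest registered for that node's protected process. The wrapping primitive (an HMAC-SHA256 counter keystream plus an HMAC tag), the node identifiers, the `KeyHandlingUnit` class and its methods, and the sample process digest are all constructed for this example.

```python
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a constructed toy wrapping
    # primitive standing in for TPM key wrapping, not a TPM algorithm.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def wrap(parent_key: bytes, child_key: bytes) -> bytes:
    # Encrypt child_key under parent_key: nonce || ciphertext || HMAC tag.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(child_key, _keystream(parent_key, nonce, len(child_key))))
    return nonce + ct + hmac.new(parent_key, nonce + ct, hashlib.sha256).digest()


def unwrap(parent_key: bytes, blob: bytes) -> bytes:
    # Check the tag first so a node tampered with in insecure storage is rejected.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(parent_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrapped node failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(parent_key, nonce, len(ct))))


class KeyHandlingUnit:
    def __init__(self):
        self._srk = os.urandom(32)  # head of the hierarchy, held only inside the unit
        self.storage = {}           # insecure storage: node id -> (parent id, wrapped key)
        self._auth = {}             # node id -> digest of its associated protected process
        self.reset()

    def reset(self):
        # Platform start-up: the head of the hierarchy is the selected node ([0013]).
        self.root_id = "SRK"
        self._root_key = self._srk

    def _path_from_root(self, node_id: str) -> list:
        # Follow parent links upward; allowed only if the current root is an
        # ancestor, i.e. no ascent above the current decryption root is needed.
        path = []
        while node_id != self.root_id:
            if node_id not in self.storage:
                raise PermissionError(f"{node_id} not reachable by descent from {self.root_id}")
            path.append(node_id)
            node_id = self.storage[node_id][0]
        return path[::-1]

    def _decrypt(self, node_id: str) -> bytes:
        # Chain of decryption rooted in the current decryption-root key ((ii) in [0011]).
        key = self._root_key
        for nid in self._path_from_root(node_id):
            key = unwrap(key, self.storage[nid][1])
        return key

    def create_child(self, parent_id: str, child_id: str, process_digest=None):
        self.storage[child_id] = (parent_id, wrap(self._decrypt(parent_id), os.urandom(32)))
        if process_digest is not None:
            self._auth[child_id] = process_digest  # authorization value required by [0012]

    def use_key(self, node_id: str, data: bytes) -> str:
        # Cryptographic use inside the unit (here an HMAC) without releasing the key.
        return hmac.new(self._decrypt(node_id), data, hashlib.sha256).hexdigest()

    def set_current_root(self, node_id: str, authorization: bytes):
        # (iii) in [0011]: install a selected non-leaf node's key as the new root,
        # only if the presented value matches the registered protected-process digest.
        expected = self._auth.get(node_id)
        if expected is None or not hmac.compare_digest(expected, authorization):
            raise PermissionError("authorization does not match the protected-process digest")
        self._root_key = self._decrypt(node_id)  # node must itself lie under the present root
        self.root_id = node_id


def demo() -> dict:
    # FIG. 1 style hierarchy: SRK wraps K1-1 and K1-2; K1-1 wraps K2-1.
    khu = KeyHandlingUnit()
    digest = hashlib.sha256(b"protected compartment OS image (constructed)").digest()
    khu.create_child("SRK", "K1-1", process_digest=digest)  # dynamic root key for the process
    khu.create_child("SRK", "K1-2")
    khu.create_child("K1-1", "K2-1")
    r = {"sibling_usable_under_srk": bool(khu.use_key("K1-2", b"payload"))}
    mac_before = khu.use_key("K2-1", b"payload")
    try:
        khu.set_current_root("K1-1", hashlib.sha256(b"other software").digest())
        r["wrong_digest_rejected"] = False
    except PermissionError:
        r["wrong_digest_rejected"] = True
    khu.set_current_root("K1-1", digest)
    r["same_key_below_new_root"] = khu.use_key("K2-1", b"payload") == mac_before
    try:
        khu.use_key("K1-2", b"payload")  # would require ascent from K1-1 to the SRK
        r["ascent_blocked"] = False
    except PermissionError:
        r["ascent_blocked"] = True
    khu.reset()  # restart: the head of the hierarchy is selected again
    r["sibling_usable_after_restart"] = bool(khu.use_key("K1-2", b"payload"))
    return r
```

Calling `demo()` walks the sequence the specification describes: with the SRK selected every node is usable; moving the root to K1-1 is refused for a wrong digest and accepted for the registered one; K2-1 keeps working under the new root with the same key; K1-2, which would need ascent to the SRK, becomes unreachable until the unit is reset at start-up. Note that the unit never exports a node key; `use_key` is the stand-in for cryptographic use carried out by the TPM on the process's behalf.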